Colubris Networks CN3000 Service manual

CN3000
Administrator’s Guide

Twelfth Edition V2.1 (August 2004) 43-10-3000-12
Colubris is a registered trademark of Colubris Networks Inc.
Microsoft, Windows, Windows 2000, Windows NT, Windows XP, Internet Explorer, and
the Windows logo are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
All other names mentioned herein are trademarks or registered trademarks of their
respective owners.
Changes are periodically made to the information herein; these changes will be
incorporated into new editions of the document.
Copyright © 2004 Colubris Networks Inc. All rights reserved, including those to
reproduce this document or parts thereof in any form without permission in writing from
Colubris Networks, Inc.
Colubris Networks Inc.
200 West Street (Suite 3)
Waltham, MA 02451, USA

Table of Contents
Chapter 1
Introduction 9
How to use this guide ................................................................................10
Feature summary .......................................................................................11
Wireless radio......................................................................................11
Compatibility........................................................................................11
Networking ..........................................................................................11
Security................................................................................................12
Authentication and accounting.............................................................12
Management ........................................................................................12
Interfaces.............................................................................................12
Operating Environment ........................................................................12
Regulatory Approvals...........................................................................12
Package contents.......................................................................................13
Technical support.......................................................................................13
Syntax conventions....................................................................................14
Chapter 2
How it works 15
Integrated access point and access controller ...........................................16
Scalable solution........................................................................................17
Simple installation ...............................................................................17
Multi-site installation ...........................................................................18
Multi-area installation ..........................................................................19
The public access interface........................................................................20
Logging in............................................................................................20
Customizing the public access interface ..............................................21
Connecting customers ...............................................................................22
Security................................................................................................22
Proxy server support ...........................................................................22
Email redirection..................................................................................23
Quotas .................................................................................................23
Customer authentication............................................................................24
Location aware.....................................................................................24
Authentication methods .......................................................................24
Management tool .......................................................................................26
Management station ............................................................................26
Management scenarios........................................................................26
Starting the management tool..............................................................27
Security................................................................................................28
Wireless coverage......................................................................................30
Factors limiting wireless coverage .......................................................30
Virtual access points............................................................................31
Maximum wireless client stations........................................................31
Security................................................................................................31
Configuring overlapping wireless cells.................................................31
Building multi-cell wireless networks...................................................35
Conducting a site survey......................................................................36
Identifying unauthorized access points................................................36
Address allocation .....................................................................................37
Default addresses ................................................................................37
Addressing options..............................................................................37
Host name ...........................................................................................37
Connecting to a wired LAN ..................................................................38
Connecting to the Internet ...................................................................39
The RADIUS server....................................................................................40
CN3000 authentication.........................................................................40
Customer authentication......................................................................40
Administrator authentication................................................................40
Connecting to a RADIUS server...........................................................40
More information .................................................................................41
Firewall ......................................................................................................42
Firewall presets....................................................................................42
Firewall configuration...........................................................................43
Customizing the firewall.......................................................................44
Network address translation ......................................................................45
NAT overview.......................................................................................45
NAT security and static mappings........................................................45
One-to-one NAT ...................................................................................46
Colubris intercept.................................................................................46
NAT example........................................................................................47
Secure remote connectivity........................................................................49
Important.............................................................................................49
Local mode ................................................................................................50
Enabling local mode.............................................................................50
Defining customer accounts ................................................................51
Customizing local mode.......................................................................51
Centralized mode .......................................................................................52
Wireless bridging.......................................................................................53
RF extension ........................................................................................53
Building-to-building connections.........................................................53
Firmware management ..............................................................................55
Manual update .....................................................................................55
Scheduled install..................................................................................55
Using cURL..........................................................................................56
Configuration management........................................................................57
Manual management ...........................................................................57
Using cURL..........................................................................................58
Chapter 3
Installation 61
Anatomy ....................................................................................................62
Status lights.........................................................................................62
Reset button ........................................................................................63
Step 1: Preparation ....................................................................................64
IMPORTANT.........................................................................................64
Seating the wireless card .....................................................................64
Installing rubber feet............................................................................64
Mounting on a wall or ceiling...............................................................65
Step 2: Connect power...............................................................................66
Step 3: Configure the CN3000 ...................................................................66
Chapter 4
Scenarios 67
Before you begin........................................................................................68
Contents ..............................................................................................68
Scenario 1a: Hotspot with Internet access (local mode)............................69
How it works........................................................................................69
Configuration roadmap ........................................................................69
Scenario 1b: Custom public access interface (local mode)........................72
How it works........................................................................................72
Configuration roadmap ........................................................................73
Scenario 2a: Hotspot with Internet access (RADIUS) ................................75
How it works........................................................................................75
Configuration roadmap ........................................................................76
Scenario 2b: Custom public access interface (RADIUS) ............................79
How it works........................................................................................79
Configuration roadmap ........................................................................79

Scenario 2c: Supporting 802.1x/WPA customers ......................................80
How it works........................................................................................80
Configuration roadmap ........................................................................80
Scenario 3: Centralized authentication .......................................................81
How it works........................................................................................81
Configuration roadmap ........................................................................82
Scenario 4: Wholesaling with GRE.............................................................84
How it works........................................................................................84
Configuration roadmap ........................................................................85
Scenario 5: Wholesaling with VPNs...........................................................87
How it works.......................................................................................87
Configuration roadmap ........................................................................87
Scenario 6: Public/private access with VLANs ...........................................90
How it works.......................................................................................90
Configuration roadmap ........................................................................91
Chapter 5
Activating the public access interface 95
Overview ....................................................................................................96
Important.............................................................................................96
Local mode ..........................................................................................96
Supporting PDAs .................................................................................96
Step 1: Setting up the CN3000 RADIUS client ...........................................97
Configuration procedure ......................................................................97
Profile name.........................................................................................98
RADIUS profile settings .......................................................................98
Primary RADIUS server .......................................................................99
Secondary RADIUS server ...................................................................99
Step 2: Setting up CN3000 authentication ...............................................100
Configuration procedure ....................................................................100
CN3000 RADIUS authentication.........................................................101
Step 3: Setting up customer authentication .............................................102
Configuration procedure ....................................................................102
HTML-based user logins....................................................................103
Step 4: Setting up the RADIUS server......................................................104
Minimum setup..................................................................................104
More information ...............................................................................104
Step 5: Testing the public access interface ..............................................105
Chapter 6
Customizing the public access interface 107
Overview ..................................................................................................108
Common configuration tasks.............................................................108
Site map...................................................................................................109
Internal pages ....................................................................................110
External pages ...................................................................................112
How it works......................................................................................113
Customizing the internal pages................................................................114
Creating new internal pages...............................................................114
Important restrictions ........................................................................114
Loading new internal pages ...............................................................114
Examples ...........................................................................................116
Customizing the external pages ...............................................................117
Creating new external pages ..............................................................117
Activating new external pages............................................................117
Examples ...........................................................................................119
Using a remote login page .......................................................................121
Activating a remote login page...........................................................121
How it works......................................................................................123
Security issues...................................................................................123
Example .............................................................................................124
Location-aware authentication .................................................................125
How it works......................................................................................125
Example .............................................................................................125
Security..............................................................................................126
Configuration .....................................................................................127
iPass support...........................................................................................128
ASP functions ..........................................................................................129
Errors.................................................................................................129
RADIUS..............................................................................................129
Page URLs .........................................................................................130
Session status and properties............................................................130
Session quotas ..................................................................................133
iPass support.....................................................................................134
Message file.............................................................................................136
Source code for the internal pages ..........................................................138
Login page .........................................................................................138
Transport page...................................................................................140
Session page .....................................................................................140
Fail page.............................................................................................142
Chapter 7
Customizing CN3000 and customer settings 143
Overview..................................................................................................144
IMPORTANT.......................................................................................144
Standard RADIUS attributes ....................................................................145
Colubris Networks vendor-specific attributes ..........................................146
Attribute value summary....................................................................146
RADIUS limitations ............................................................................147
Terminate-Acct-Cause values.............................................................147
Creating a RADIUS client entry for the CN3000 .......................................149
Configuration settings........................................................................149
Managing shared secrets...................................................................149
Creating a profile for the CN3000 on the RADIUS server.........................150
Standard RADIUS attributes ..............................................................150
Colubris-AVPair attribute ...................................................................152
Access lists........................................................................................153
Custom SSL certificate ......................................................................158
Configuration file ...............................................................................159
MAC authentication............................................................................160
Default user idle timeout....................................................................160
Default user session timeout .............................................................161
Default user SMTP server ..................................................................161
Default user interim accounting update interval.................................161
Default user one-to-one NAT..............................................................162
Default user quotas............................................................................162
IPass login url....................................................................................163
Creating customer profiles on the RADIUS server...................................164
Supported RADIUS attributes ............................................................164
Colubris-AVPair attribute ...................................................................167
Group name.......................................................................................168
NAT port range...................................................................................168
SSID ..................................................................................................168
Access list..........................................................................................168
Colubris-Intercept ..............................................................................169
One-to-one NAT .................................................................................169
Quotas ...............................................................................................169
SMTP redirection ...............................................................................170
VLAN support ....................................................................................171
Creating administrator profiles on the RADIUS server.............................172
Supported RADIUS attributes ............................................................172

Chapter 8
NOC authentication 173
Main benefits ...........................................................................................174
Activating a remote login page with NOC authentication..........................175
Colubris-AVPair value string ..............................................................175
Placeholders ......................................................................................175
How it works............................................................................................177
Addressing security concerns..................................................................178
Securing the remote login page .........................................................178
Authenticating with the login application ...........................................178
Authenticating the CN3000 ................................................................178
NOC authentication list ......................................................................178
Setting up the certificates ........................................................................179
Install certificates on the web server..................................................179
Define attributes.................................................................................179
Install a certificate on CN3000 ...........................................................179
Authenticating customers ........................................................................180
Example 1 ..........................................................................................180
Example 2 ..........................................................................................180
Simple NOC authentication example ........................................................182
Configuration procedure ....................................................................182
Forcing customer logouts ........................................................................184
Chapter 9
SNMP interface 185
Configuring the SNMP interface...............................................................186
To configure SNMP options ...............................................................186
Attributes ...........................................................................................186
Agent .................................................................................................187
Traps..................................................................................................187
Security..............................................................................................187
Standard MIBs .........................................................................................188
Management consoles .......................................................................188
MIB II support details ........................................................................188
Colubris Enterprise MIB...........................................................................190
Chapter 10
SSL certificates 191
Overview of SSL certificates ....................................................................192
SSL authentication.............................................................................192
DNS and the CN3000’s SSL certificate...............................................192
About certificate warning messages ........................................................194
Installing a new SSL certificate ................................................................196
Step 1: Creating an SSL certificate...........................................................197
Certificate tools..................................................................................197
Obtaining a registered certificate........................................................197
Becoming a private CA.......................................................................199
Creating a self-signed certificate ........................................................202
Viewing the certificate........................................................................203
Verifying the certificate ......................................................................204
Step 2: Preparing the certificate chain .....................................................205
Step 3: Converting a certificate to PKCS #12 format................................206
Step 4: Installing a new SSL certificate....................................................207
Manual installation.............................................................................207
Automatic installation ........................................................................207
Step 5: Installing certificates in a browser ...............................................208
Internet Explorer ................................................................................208
Netscape Navigator............................................................................212
Chapter 11
Configuration parameters 213
Default wireless profile ............................................................................214
Access point ......................................................................................214
Radio .................................................................................................215
Wireless port .....................................................................................215
Wireless protection..........................................................................216
Dynamic keys.....................................................................................217
Wireless profile list ..................................................................................218
WLAN profiles....................................................................................218
Wireless profile settings ..........................................................................219
Access point ......................................................................................219
HTML-based user logins....................................................................220
RADIUS accounting ...........................................................................220
Wireless protection..........................................................................220
Traffic tunnelling (GRE)......................................................................221
Wireless links list.....................................................................................223
Wireless link configuration ................................................................223
Wireless link configuration ......................................................................224
Settings..............................................................................................224
Security..............................................................................................224
Addressing.........................................................................................224
Wireless neighborhood............................................................................225
Wireless neighborhood......................................................................225
LAN port configuration ............................................................................227
Link....................................................................................................227
Internet connection..................................................................................228
Assign IP address via.........................................................................228
Link settings ......................................................................................228
Network address translation (NAT) ....................................................229
PPPoE client ......................................................................................229
DHCP client........................................................................................231
Static addressing ...............................................................................232
DHCP services .........................................................................................233
DHCP services ...................................................................................233
DHCP server ............................................................................................234
Addresses..........................................................................................234
Settings..............................................................................................234
DHCP relay agent.....................................................................................235
DHCP relay agent settings .................................................................235
Bandwidth control....................................................................................236
Outgoing traffic throttle......................................................................236
IP routes ..................................................................................................237
Active routes......................................................................................237
Default routes ....................................................................................237
Persistent routes................................................................................238
DNS/WINS settings..................................................................................239
DNS servers.......................................................................................239
GRE tunnel List ........................................................................................240
Defined GRE tunnels ..........................................................................240
GRE tunnel definition ...............................................................................241
Tunnel settings...................................................................................241
NAT List ...................................................................................................242
NAT mappings ...................................................................................242
NAT static mapping..................................................................................243
Mapping definition.............................................................................243
RIP configuration.....................................................................................244
RIP.....................................................................................................244
Authentication options .............................................................................245
CN3000 RADIUS authentication.........................................................245
HTML-based user logins....................................................................246
RADIUS accounting ...........................................................................246

Authentication advanced options .............................................................247
Client station settings ........................................................................247
Location-aware authentication ...........................................................248
Access controller shared secret .........................................................249
Access controller mode .....................................................................249
NOC authentication ............................................................................249
Access controller ports ......................................................................249
IPass settings ....................................................................................249
RADIUS profiles list .................................................................................250
RADIUS profiles.................................................................................250
RADIUS profile definition.........................................................................251
Profile name.......................................................................................251
RADIUS profile settings .....................................................................251
Primary RADIUS server .....................................................................252
Secondary RADIUS server .................................................................252
Firewall - Preset .......................................................................................253
Firewall - Custom.....................................................................................254
General settings .................................................................................254
Services .............................................................................................255
Stateful matching...............................................................................255
PPTP client ..............................................................................................256
Connection.........................................................................................256
Account..............................................................................................256
Network Address Translation (NAT) ...................................................257
IPSec policy list .......................................................................................258
IPSec security policy database...........................................................258
IPSec new policy......................................................................................259
Preconfigured settings.......................................................................259
General ..............................................................................................260
Peer ...................................................................................................261
Authentication method.......................................................................262
Security..............................................................................................262
Preconfigured settings.......................................................................263
Certificates...............................................................................................264
[IPSec] Trusted CA certificates ..........................................................264
[IPSec] Manage CA certificates..........................................................265
[IPSec] Local certificate store ............................................................265
[IPSec] Manage local certificate.........................................................265
[IPSec] certificate revocation list .......................................................265
[IPSec] Manage certificate revocation list..........................................266
[SSL] Web Server Certificate .............................................................266
[SSL] View Web Server Certificate....................................................267
Users .......................................................................................................268
Local user list ....................................................................................268
Local config list........................................................................................269
Active attributes .................................................................................269
Local config attribute ...............................................................................270
Attribute.............................................................................................270
Access lists........................................................................................270
Custom SSL certificate ......................................................................271
Configuration file ...............................................................................272
MAC authentication............................................................................272
Default user idle timeout....................................................................273
Default user session timeout .............................................................273
Default user SMTP server ..................................................................274
Default user interim accounting update interval.................................274
Default user quotas............................................................................274
Default user idle timeout....................................................................275
Default user SMTP server ..................................................................275
Default user session timeout .............................................................275
Default user one-to-one NAT..............................................................276
IPass login url....................................................................................276
Internal pages ....................................................................................276
External pages ...................................................................................277
Remote login page.............................................................................278
Placeholders ......................................................................................278
NOC authentication ............................................................................279
Management tool.....................................................................................280
Administrator authentication..............................................................280
Login override....................................................................................280
Web server.........................................................................................281
Security..............................................................................................281
SNMP ......................................................................................................282
Attributes ...........................................................................................282
Agent .................................................................................................283
Traps..................................................................................................283
Security..............................................................................................283
System time.............................................................................................284
System time.......................................................................................284
Satellites ..................................................................................................285
Satellites ............................................................................................285
Country....................................................................................................286
Country..............................................................................................286
Chapter 12
Building a cross-over cable 287
Wiring details...........................................................................................288
Chapter 13
The configuration file 289
Manually editing the config file ................................................................290
Retrieving/restoring the configuration file..........................................290
Configuration file structure ......................................................................291
Chapter 14
Sample setup - Backend software 293
Overview..................................................................................................294
CAUTION............................................................................................294
Prerequisites......................................................................................294
Equipment setup......................................................................................295
Topology ............................................................................................295
About the components.......................................................................296
Step 1: Retrieve software.........................................................................297
Server 1 .............................................................................................297
Server 2 .............................................................................................297
Step 2: Install and configure software on Server 1 .........................................298
Windows 2000...................................................................................298
Colubris backend archive ...................................................................298
Steel-Belted Radius............................................................................298
Apache...............................................................................................299
Sample pages ....................................................................................300
PHP 4.2.3...........................................................................................301
MySQL...............................................................................................301
Configure the ODBC data source........................................................301
phpMyAdmin .....................................................................................303
Setting the path..................................................................................303
Start mysql ........................................................................................304
Test PHP ............................................................................................304
Create the sample RADIUS database .................................................304
Step 3: Configure Steel-Belted Radius on Server 1..................................305
Modify the default configuration files.................................................305
Start and connect to the server..........................................................305
Define a RAS client for the CN3000 ...................................................306
Create RADIUS profiles......................................................................308
Update the Steel-Belted Radius configuration....................................309
Step 4: Install web server certificates on Server 1 ...................................310
Install the public key certificate..........................................................310
Install the private key certificate.........................................................310
Verify the certificates .........................................................................310

Step 5: Install and configure the CN3000.................................................313
Start Apache ......................................................................................313
Assign a static address ......................................................................313
Configure RADIUS settings................................................................314
Certificates.........................................................................................316
Step 6: Install and configure software on Server 2 ..................................317
Step 7: Test the installation ......................................................................318
Step 8: Test the remote login page feature...............................................320
Enable the remote login feature .........................................................320
Test the remote login feature .............................................................321
Step 9: Test the NOC authentication feature.............................................323
Enable NOC authentication.................................................................323
Test NOC authentication.....................................................................324
Tools ........................................................................................................326
Batch files ..........................................................................................326
phpMyAdmin......................................................................................326
Troubleshooting .......................................................................................329
Chapter 15
Sample setup - Steel-Belted Radius 331
Overview ..................................................................................................332
Prerequisites......................................................................................332
Equipment setup......................................................................................333
Topology ............................................................................................333
About the components.......................................................................333
Step 1: Install software on Server 1.........................................................335
Windows 2000...................................................................................335
Steel-Belted Radius............................................................................335
Internet Explorer ................................................................................335
Step 1: Add support for Colubris Networks attributes..............................336
Step 2: Connect to the Steel-Belted Radius server...................................337
Step 3: Create a RADIUS client profile for the CN3000 ............................339
Step 4: Define RADIUS profiles................................................................341
Defining a CN3000 profile..................................................................341
Defining a Customer profile ...............................................................343
Defining a CN3000 administrator profile.........................................345
Step 5: Define user accounts ...................................................................347
Defining user accounts ......................................................................347
Step 6: Install and configure the CN3000.................................................349
Assign a static address ......................................................................349
Configure RADIUS settings................................................................349
Step 7: Install Server 2.............................................................................352
Step 8: Test the installation ......................................................................353
Testing administrator logins...............................................................354
Chapter 16
Sample setup - Microsoft RADIUS 355
Overview ..................................................................................................356
Prerequisites......................................................................................356
Equipment setup......................................................................................357
Topology ............................................................................................357
About the components.......................................................................357
Step 1: Install software on Server 1.........................................................358
Windows 2000...................................................................................358
Internet Explorer ................................................................................358
Step 2: Define user accounts ...................................................................359
Step 3: Define groups and add users to them..........................................360
Step 4: Start the RADIUS server ..............................................................362
Step 5: Create a RADIUS client account...................................................363
Step 6: Create an access policy for the CN3000.......................................365
Step 7: Create an access policy for customers.........................................375
Step 8: Create an access policy for CN3000 admins................................385
Step 9: Install and configure the CN3000.................................................391
Assign a static address ......................................................................391
Configure RADIUS settings................................................................391
Step 10: Install Server 2 ..........................................................................393
Step 11: Test the installation....................................................................394
Testing administrator logins ..............................................................395
Chapter 17
Experimenting with NOC authentication 397
Overview..................................................................................................398
About the certificates .........................................................................398
Requirements ....................................................................................398
Equipment setup......................................................................................399
Topology ............................................................................................399
Step 1: Configure the CN3000 .................................................................400
Step 2: Configure the RADIUS profile for the CN3000 .............................401
Define the profile................................................................................401
Force authentication...........................................................................401
Step 3: Configure Server 1.......................................................................402
Install certificates...............................................................................402
Verifying that winhttpcertcfg.exe is installed......................................405
Granting access to the private key for noc-client ...............................406
Configuring the hosts file on Server 1 ...............................................407
Experimenting with noc-authenticate.vbs ................................................408
Retrieve noc-authenticate.vbs............................................................408
Running the program.........................................................................408
Examples ...........................................................................................408
Authentication results .............................................................................410
noc.h contents .............................................................................410
Returned values.................................................................................411
Examples ...........................................................................................413
Chapter 18
Regulatory, wireless interoperability,
and health information 415
Regulatory information ............................................................................416
Health Information...................................................................................418


Chapter 1: Introduction
This chapter provides an overview of this manual and other important
information.

How to use this guide
This section explains how this guide is organized. Use it as a starting point to find the
information you need.
Chapter 2: How it works
This chapter covers important topics that will help you to understand how to install,
deploy, and manage a wireless public access network.
Chapter 3: Installation
This chapter explains how to install the CN3000.
Chapter 4: Scenarios
This chapter provides sample deployment strategies for common scenarios. These
scenarios will give you a good idea of how to approach your installation.
Chapter 5: Activating the public access interface
This chapter explains how to configure and start the public access interface.
Chapter 7: Customizing CN3000 and customer settings
This chapter presents a summary of the configuration settings you can define to
customize the operation of your public access network and customer accounts.
Chapter 9: SNMP interface
This chapter provides an overview of the SNMP interface and the MIBs supported by
the CN3000.
Chapter 10: SSL certificates
This chapter explains how to create and install SSL certificates to secure
communications with the CN3000.
Chapter 11: Configuration parameters
This chapter provides an overview of the configuration options provided by the
management tool for most of the important features on the CN3000. For information on
features not covered in this section, consult the online help.
Chapter 12: Building a cross-over cable
This chapter explains how to build a cross-over cable.
Chapter 13: The configuration file
This chapter provides an overview of the configuration file and explains how to edit it.
Chapter 14: Sample setup - Backend software
This chapter provides step-by-step instructions for installing and configuring the
necessary backend software to support a public access hotspot. You can use this setup
as a platform to experiment with the CN3000 feature set.
Chapter 15: Sample setup - Steel-Belted Radius
This chapter provides a walkthrough of a sample RADIUS configuration using
Steel-Belted Radius.
Chapter 16: Sample setup - Microsoft RADIUS
This chapter provides a walkthrough of a sample RADIUS configuration using
Microsoft's RADIUS server (called Internet Authentication Service), which comes with
Windows 2000 server and Windows 2000 Advanced server.
Chapter 17: Experimenting with NOC authentication
This chapter provides a sample setup that illustrates how the NOC authentication
feature works and lets you experiment with it. This sample is not a complete working
implementation, but rather a test setup that you can use to become familiar with the
feature.

Feature summary
Wireless radio 802.11b
• IEEE 802.11b (2.4 GHz Unlicensed ISM radio band)
• Frequency band: 2.4-2.4835 GHz
• Modulation Technique: DSSS (CCK, DQPSK, DBPSK)
• Media Access Protocol: CSMA/CA with ACK
• Data Rate: 11 Mbps with fallback rates of 5.5, 2 and 1 Mbps
• Two models:
  • Integrated antenna with jack for single external antenna
  • Two reverse-polarity SMA jacks (no integrated antenna)
• Range:
  • North America - 100 meters (300 feet)
  • Europe - 100 meters (300 feet)
• Power output:
  • North America - 200mW
  • Europe - 100mW
Compatibility
• Communicates with all Wi-Fi certified wireless adapters
• Supports all operating systems
Networking
• IEEE 802.1d compliant bridging
• DHCP Server (RFC 2131)
• PPPoE (RFC 2516)
• DHCP Relay (RFC 1542)
• DNS Relay
• DHCP Client
• IP Routing: Static and RIP v1 (RFC 1058), RIP v2 (RFC 1723)
• SMTP (E-Mail) redirection
• SNMP v1, v2
• RADIUS Client (RFC 2865 and RFC 2866)
• ICMP (RFC 792)
• ARP (RFC 826)
• CIDR (RFC 1519)
• GRE tunneling
• VLAN support (static or dynamically assigned per user via RADIUS)
• Up to 16 simultaneous wireless networks with distinct SSIDs/configurations
• Wireless bridging with up to 6 other units

Security
• 802.1x using EAP-MD5, EAP-TLS, EAP-TTLS, EAP-CIM, PEAP
• RADIUS AAA supporting EAP-MD5, PAP, CHAP, MSCHAP v2, MSCHAP v1
• Integrated VPN Client (PPTP, IPSec) for secure connection to a network operating center (NOC)
• Secure connection (SSL) to on-board web-based management tool
• Customizable firewall with packet filtering based on protocol, port, and IP address
• NAT (RFC 1631) with port forwarding
• Security filter to block non-VPN traffic
• Traffic intercept
Authentication and accounting
• Secure HTML login page
• Support for 802.1x using EAP-MD5, EAP-TLS, EAP-TTLS, PEAP
• RADIUS AAA supporting EAP-MD5, PAP, CHAP, MSCHAP v2, MSCHAP v1
• MAC-level authentication for non-HTTP devices
• Supports up to 100 concurrent users
• Provides accounting by time used or data transferred/received by customers
• Traffic quotas
Management
• Web-based management tool
• Secure local and remote management via HTTPS and VPN
• Scheduled configuration upgrades from a central server
• Remote Syslog
• Web-based firmware upgrades
• Real-time status and information protocol traces
• Site survey and monitoring tool
• SNMP V1, V2 MIB-II with traps and Colubris MIB
• RADIUS Authentication Client MIB (RFC 2618)
Interfaces
• IEEE 802.11b wireless port
• 10/100BaseTX Ethernet port
• 10BaseT Ethernet port
Operating Environment
• Temperature: 0°C to 55°C
• Humidity: 15% to 95% non-condensing
Regulatory Approvals
• FCC Part 15, CSA NRTL (C22.2 No 950, UL 1950)
• CE Mark (EN55022, EN55024, IEC 60950)
• Wi-Fi Certified

Package contents
Make sure that your package contains the following items. If an item is missing, contact
your reseller.
• CN3000 Wireless Access Controller
• Power supply
• Power cord
• CD-ROM. Contains the CN3000 Administrator’s Guide, Colubris Backend Archive, and the Colubris Enterprise MIB.
• Cross-over Ethernet cable (yellow)
• Two screws, two anchors, and four rubber feet
• CN3000 warranty, license, and registration cards
Note:
Power supply, power cord, and antennas are sold separately.
Technical support
To obtain technical support, contact your reseller.
Information about Colubris Networks products and services, including documentation
and software updates, is available on our web site at www.colubris.com.

Syntax conventions
This manual uses the following formatting conventions.
Example: Network
Description: When referring to the management tool web interface, items in bold type identify menu commands or input fields. They are presented exactly as they appear on screen.

Example: Network > Ports
Description: When referring to the management tool web interface, submenus are indicated using the ‘>’ sign. The example refers to the Ports submenu, which is found under the Network menu.

Example: ip_address
Description: Items in italics are parameters that you must supply a value for.

Example: use-access-list=usename
Description: Monospaced text is used to present command line output, program listings, or commands that are entered into configuration files or profiles.

Example: ssl-certificate=URL [%s] [%n]
Description: Items enclosed in square brackets are optional. You can either include them or not. Do not type the brackets.

Chapter 2: How it works
This chapter covers important topics that will help you to understand how
to install, deploy, and manage a wireless public access network.

Integrated access point and access controller
The CN3000 is a fully integrated access point/access controller. It creates a public
wireless network and provides fine-grained management and control of customer
sessions.
The CN3000 divides the network into two segments: public and protected.
• The public segment is composed of all client stations connected via wireless or to a
network linked to the CN3000’s LAN port.
• The protected segment is composed of all resources that are connected to the
CN3000’s Internet port. Access to these resources is controlled by configuration
settings on the CN3000. By default, these settings are:
• unauthenticated customers cannot access any protected network resources
• authenticated customers can access all protected network resources
While this default configuration may be suitable for a simple wireless hotspot that
provides access to the Internet, more complex setups require more fine-grained control
of the protected network resources. To support this, the CN3000 provides a fully
configurable access list mechanism (page 153), which provides the following benefits:
• The ability to make specific protected resources available to unauthenticated
customers. For example, when you want to have public web pages available to
customers before they log in, but locate the web server on a protected network.
• The ability to define a list of accessible resources for a single customer or an entire
group. For example, if you have several customer groups (teachers, students,
visitors), each can be given access to specific network resources.
• The ability to block specific addresses for a single customer or entire group. For
example, you could disallow traffic to file swapping Internet sites to cut down on
bandwidth usage.
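The default settings and the three access list uses described above, as an added example that is not taken from the Colubris manual or the CN3000 firmware. It is a simplified Python model; the Rule fields, first-match ordering, group names, and addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "deny"
    dest: str                    # destination network, CIDR notation
    port: Optional[int] = None   # None matches any destination port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ip_address(dst_ip) in ip_network(self.dest)
        return in_net and self.port in (None, dst_port)


# Constructed sample data (RFC 5737 documentation addresses); the rule
# format and first-match ordering are assumptions, not CN3000 syntax.
SITE_LIST = [Rule("accept", "192.0.2.10/32", 80)]      # public web server, pre-login
GROUP_LISTS = {
    "students": [Rule("deny", "198.51.100.0/24")],     # blocked file-swapping site
    "visitors": [Rule("accept", "192.0.2.10/32", 80),  # only the web server...
                 Rule("deny", "0.0.0.0/0")],           # ...and nothing else
}


def first_match(rules, dst_ip, dst_port):
    """Return the action of the first matching rule, or None."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return None


def decide(authenticated, group, dst_ip, dst_port):
    """Verdict for traffic from the public to the protected segment."""
    rules = GROUP_LISTS.get(group, []) if authenticated else SITE_LIST
    verdict = first_match(rules, dst_ip, dst_port)
    if verdict is not None:
        return verdict
    # No rule matched: fall back to the default settings described above.
    return "accept" if authenticated else "deny"


def broad_prelogin_rules(rules, max_addresses=256):
    """Audit helper: accept rules exposing large ranges before login."""
    return [r for r in rules if r.action == "accept"
            and ip_network(r.dest).num_addresses > max_addresses]
```

Running broad_prelogin_rules over the list applied to unauthenticated customers is a quick way to spot an "accept" rule that opens more of the protected segment before login than intended.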
[Figure labels: Protected network, Internet port, Public network, Corporate network]

Scalable solution
The CN3000 can effectively be deployed in both small and large installations. The
following topologies illustrate potential deployments.
Simple installation
In this installation the CN3000 provides a public access network and Internet
connection for a small location. Computers on the attached wired LAN also have access
to the network. No RADIUS server is required.
By making use of a RADIUS server (in a network operating center), the same installation
can support user accounting and the delivery of custom content on a per-user basis.
[Figure labels: Public WLAN, LAN, LAN port, Internet port]
[Figure labels: Public WLAN, LAN, LAN port, Internet port, VPN server, RADIUS server, Web/FTP server, SMTP server, Management station, DNS/DHCP server, Network Operating Center, Router/Firewall]

Multi-site installation
This installation illustrates how to deploy the CN3000 in conjunction with CN320s to
provide wireless coverage at multiple geographically dispersed locations. The Internet is
used to provide centralized management, accounting, and customer authentication.
About this installation
• A single CN3000 is installed along with one or more CN300/CN320 satellites at sites
#1 and #3.
• At site #2, the CN3000 provides a wireless network and is also connected to a LAN to
enable a number of wired computers to act as public access stations.
• Each CN3000 is connected to the Internet via a broadband modem. The Internet
connection is protected by the CN3000’s firewall.
• A VPN connection is established between each CN3000 and the VPN server at the
NOC. This protects all management traffic exchanged between the CN3000s and the
NOC, which includes:
• RADIUS authentication and accounting data.
• Management session used to control CN3000 configuration and firmware updates.
• Centralized management of customer profiles on the RADIUS server enables
customers to log in at any location.

Multi-area installation
This installation illustrates how to deploy the CN3000 in conjunction with CN320s to
provide wireless coverage at multiple locations within a building or campus. An Ethernet
LAN provides the backbone that interconnects all devices and enables centralized
management, accounting, and customer authentication.
About this installation
• A single CN3000 is installed along with one or more CN300/CN320 satellites at areas
#1 and #3.
• At area #2, the CN3000 provides a wireless network and is also connected to a LAN
to enable a number of wired computers to act as public access stations.
• Each CN3000 is connected to the NOC via the backbone LAN.
• Centralized management of customer profiles on the RADIUS server enables
customers to log in to the wireless network in any area.

The public access interface
The public access interface is the sequence of web pages that customers use to log in to
the wireless network and to manage their sessions. Once logged in, customers
generally gain access to resources on the protected network.
Important:
The CN3000 public access interface is not functional until the CN3000 can
successfully connect to a RADIUS server and authenticate itself, unless you are running
in local mode (page 50). This means that although the login page for the public access
interface will appear, customers will get an error when they try to log in. This occurs
regardless of the method you are using to authenticate customers (local user list or via a
RADIUS server).
Important:
Customers using PDAs that only support a single browser window will have
difficulty using the public access interface in its standard configuration. To solve this
problem, see “Supporting PDAs” on page 120.
Important:
The total number of wireless client stations that can be active at any given
time is 255. However, only 100 customers can be logged into the public access interface
at one time. Customers that are not logged in can still make use of the wireless network
to access public resources (i.e., those resources specified in an access list “accept”
rule).
Logging in
The public access interface is automatically activated when a customer attempts to
browse to a resource on the protected network after establishing a wireless link with the
CN3000. Initially, the customer will see the Login page. For example, this is the default
login page:
[Figure: network diagram. Labels: Protected network, Internet port, Public network, Corporate network, Unauthenticated customer, Authenticated customer]